X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/ec4b68e5d820109e5954329013a911d4032bc4dc..73305f2ddd22b79d59780a522e16b233228f2ad3:/src/src/tls-gnu.c diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index c582af79f..5a37fae56 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -39,6 +39,10 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #include /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */ #include +/* needed to disable PKCS11 autoload unless requested */ +#if GNUTLS_VERSION_NUMBER >= 0x020c00 +# include +#endif /* GnuTLS 2 vs 3 @@ -172,6 +176,15 @@ before, for now. */ #define HAVE_GNUTLS_SESSION_CHANNEL_BINDING #define HAVE_GNUTLS_SEC_PARAM_CONSTANTS #define HAVE_GNUTLS_RND +/* The security fix we provide with the gnutls_allow_auto_pkcs11 option + * (4.82 PP/09) introduces a compatibility regression. The symbol simply + * isn't available sometimes, so this needs to become a conditional + * compilation; the sanest way to deal with this being a problem on + * older OSes is to block it in the Local/Makefile with this compiler + * definition */ +#ifndef AVOID_GNUTLS_PKCS11 +#define HAVE_GNUTLS_PKCS11 +#endif /* AVOID_GNUTLS_PKCS11 */ #endif @@ -911,6 +924,19 @@ if (!exim_gnutls_base_init_done) { DEBUG(D_tls) debug_printf("GnuTLS global init required.\n"); +#ifdef HAVE_GNUTLS_PKCS11 + /* By default, gnutls_global_init will init PKCS11 support in auto mode, + which loads modules from a config file, which sounds good and may be wanted + by some sysadmin, but also means in common configurations that GNOME keyring + environment variables are used and so breaks for users calling mailq. + To prevent this, we init PKCS11 first, which is the documented approach. */ + if (!gnutls_allow_auto_pkcs11) + { + rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); + exim_gnutls_err_check(US"gnutls_pkcs11_init"); + } +#endif + rc = gnutls_global_init(); exim_gnutls_err_check(US"gnutls_global_init"); @@ -970,7 +996,7 @@ if (rc != OK) return rc; /* set SNI in client, only */ if (host) { - if (!expand_check(state->tlsp->sni, "tls_out_sni", &state->exp_tls_sni)) + if (!expand_check(state->tlsp->sni, US"tls_out_sni", &state->exp_tls_sni)) return DEFER; if (state->exp_tls_sni && *state->exp_tls_sni) { @@ -987,7 +1013,7 @@ else if (state->tls_sni) "have an SNI set for a client [%s]\n", state->tls_sni); /* This is the priority string support, -http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html +http://www.gnutls.org/manual/html_node/Priority-Strings.html and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols. This was backwards incompatible, but means Exim no longer needs to track all algorithms and provide string forms for them. */ @@ -1529,7 +1555,6 @@ Arguments: fd the fd of the connection host connected host (for messages) addr the first address (not used) - dhparam DH parameter file (ignored, we're a client) certificate certificate file privatekey private key file sni TLS SNI to send to remote host @@ -1545,10 +1570,14 @@ Returns: OK/DEFER/FAIL (because using common functions), int tls_client_start(int fd, host_item *host, - address_item *addr ARG_UNUSED, uschar *dhparam ARG_UNUSED, + address_item *addr ARG_UNUSED, uschar *certificate, uschar *privatekey, uschar *sni, uschar *verify_certs, uschar *verify_crl, - uschar *require_ciphers, int dh_min_bits, int timeout) + uschar *require_ciphers, +#ifdef EXPERIMENTAL_OCSP + uschar *require_ocsp ARG_UNUSED, +#endif + int dh_min_bits, int timeout) { int rc; const char *error; @@ -1945,6 +1974,13 @@ if (exim_gnutls_base_init_done) log_write(0, LOG_MAIN|LOG_PANIC, "already initialised GnuTLS, Exim developer bug"); +#ifdef HAVE_GNUTLS_PKCS11 +if (!gnutls_allow_auto_pkcs11) + { + rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); + validate_check_rc(US"gnutls_pkcs11_init"); + } +#endif rc = gnutls_global_init(); validate_check_rc(US"gnutls_global_init()"); exim_gnutls_base_init_done = TRUE;